While network security teams were busy with their usual tasks, a massive wave of suspicious activity crashed against Palo Alto Networks' systems. GreyNoise researchers detected nearly 24,000 unique IP addresses scanning PAN-OS GlobalProtect login portals in an unprecedented surge. The activity exploded to 20,000 IPs daily from March 17 to March 26, 2025. Not exactly a quiet week for the security folks at Palo Alto.
Most of these digital prowlers came from the United States and Canada. Funny how the bad guys don’t always hide behind exotic foreign IPs anymore. The attackers also operated from Finland, the Netherlands, and Russia. Their targets? Mostly US-based systems, with smaller numbers in the UK, Ireland, Russia, and Singapore. This wasn’t random. Someone coordinated this.
Of the scanning IPs, a whopping 23,800 were flagged as suspicious. But here’s the kicker – 154 were confirmed malicious. Not just “maybe bad,” but definitively malicious. That’s the digital equivalent of catching burglars with lockpicks outside your door.
When attackers show up 24,000 strong at your digital doorstep, 154 of them aren’t just casing the joint—they’re ready to break in.
Previous patterns tell us something uncomfortable. These scanning surges typically precede vulnerability disclosures by 2-4 weeks. It’s like clockwork. First comes the scanning, then comes the exploit. Over the past two years, attackers have repeatedly targeted older vulnerabilities in similar systems.
The scale suggests preparation for something bigger. Think of it as reconnaissance before an invasion. These aren’t script kiddies playing around – this is calculated. Threat actors are positioning themselves for potential exploitation campaigns, probing defenses and identifying weak points. Modern supply chain attacks increasingly exploit software dependencies, making this coordinated scanning effort particularly concerning.
What makes this particularly concerning is the focus on GlobalProtect portals – literal gateways into corporate networks. Break that, and you’ve got the keys to the kingdom. This follows a November incident where Palo Alto Unit 42 discovered an authentication bypass vulnerability rated at a critical 9.3 severity.
Security analysts are speculating about zero-day vulnerabilities. Because nothing says “happy Monday” like discovering attackers might know something about your systems that you don’t. The most alarming spike occurred on March 26, with 2,580 unique IPs attempting access in a single day.
The timing aligns with other PAN-OS crawler activity that peaked on March 26. Coincidence? Probably not.
For organizations running these systems, it’s time to check those logs. Review activity since mid-March. Block those malicious IPs. And maybe, just maybe, update your resume if you’ve been putting off those security patches. Because when 24,000 IPs come knocking, they’re not selling cookies.
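As an added illustration of the log review the article recommends (not code from GreyNoise or Palo Alto Networks), this Python script counts distinct source IPs per day failing GlobalProtect portal logins, flags days from March 17 onward whose count exceeds twice the pre-surge daily baseline, and checks the sources seen against a blocklist. The log line format, the sample lines and the blocklist are all constructed for the example; real PAN-OS system logs use a different layout, so adjust the regex to your export.

```python
import re
from collections import defaultdict

# Constructed sample lines in a simplified portal-auth format (date, time,
# event, source IP). Not real PAN-OS output; the field layout is assumed.
SAMPLE_LOG = """\
2025/03/15 08:01:10 globalprotect portal-auth-fail src=203.0.113.5 user=admin
2025/03/15 09:12:44 globalprotect portal-auth-fail src=203.0.113.9 user=test
2025/03/26 00:00:03 globalprotect portal-auth-fail src=198.51.100.1 user=admin
2025/03/26 00:00:04 globalprotect portal-auth-fail src=198.51.100.2 user=admin
2025/03/26 00:00:05 globalprotect portal-auth-fail src=198.51.100.3 user=admin
2025/03/26 00:00:06 globalprotect portal-auth-fail src=198.51.100.3 user=guest
2025/03/26 00:00:07 globalprotect portal-auth-fail src=198.51.100.4 user=root
2025/03/26 00:00:08 globalprotect portal-auth-fail src=198.51.100.5 user=admin
2025/03/27 10:30:00 globalprotect portal-auth-success src=192.0.2.77 user=alice
"""
# Constructed placeholder standing in for a feed of confirmed-malicious
# scanner IPs; these are documentation-range addresses, not real indicators.
BLOCKLIST = {"198.51.100.3", "198.51.100.5"}
LINE_RE = re.compile(
    r"^(?P<day>\d{4}/\d{2}/\d{2}) \S+ globalprotect (?P<event>\S+) src=(?P<src>[\d.]+)"
)

def unique_ips_per_day(log_text, event="portal-auth-fail"):
    """Map each day to the set of distinct source IPs that produced `event`."""
    days = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("event") == event:
            days[m.group("day")].add(m.group("src"))
    return days

def surge_days(per_day, since="2025/03/17", factor=2.0):
    """Days from `since` onward whose unique-IP count exceeds `factor` times the
    average daily count before `since` (YYYY/MM/DD strings compare lexically)."""
    baseline_counts = [len(v) for d, v in per_day.items() if d < since]
    baseline = sum(baseline_counts) / len(baseline_counts) if baseline_counts else 1.0
    return sorted(d for d, v in per_day.items()
                  if d >= since and len(v) > factor * baseline)

def blocklisted_sources(per_day, blocklist=BLOCKLIST):
    """Source IPs seen anywhere in the log that also appear on the blocklist."""
    seen = set().union(*per_day.values())
    return sorted(seen & blocklist)

if __name__ == "__main__":
    per_day = unique_ips_per_day(SAMPLE_LOG)
    print("surge days:", surge_days(per_day))            # ['2025/03/26']
    print("blocklisted:", blocklisted_sources(per_day))  # ['198.51.100.3', '198.51.100.5']
```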